cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
867
Views
5
Helpful
4
Replies

vpn and active directory

suthomas1
Frequent Contributor
Frequent Contributor

Hello,

We are working towards a new remote vpn likely to be cisco ASA. The pull between different teams involved is if a radius(ISE) is needed or should the ASA be just integrated to talk directly with active directory servers and use groups within from there.

 

Please help with what are the possible downfalls for either of these and especially from a security perspective.

 

Thanks in advance.

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP Advisor VIP Advisor
VIP Advisor

I am no ASA VPN expert, but for a simple scenario where users are connecting with AnyConnect to the VPN service and supplying their AD credentials for authentication, you might as well point the ASA directly at the AD using LDAP. That's how I do it. Involving ISE might give you some visibility but ... sorry to say this ... it also incurs a small fee because it would consume an ISE Base License. Unless you have some crazy complex setup, I think you can just use the simple AD group concept directly.

View solution in original post

4 Replies 4

Arne Bier
VIP Advisor VIP Advisor
VIP Advisor

I am no ASA VPN expert, but for a simple scenario where users are connecting with AnyConnect to the VPN service and supplying their AD credentials for authentication, you might as well point the ASA directly at the AD using LDAP. That's how I do it. Involving ISE might give you some visibility but ... sorry to say this ... it also incurs a small fee because it would consume an ISE Base License. Unless you have some crazy complex setup, I think you can just use the simple AD group concept directly.

suthomas1
Frequent Contributor
Frequent Contributor

Thanks, but i have also been told security is a concern if the asa directly talks to directory hence the need for a radius in between apart from the usual funky stuff that may be done with radius?

I don't buy that argument - it's like saying that ISE is more trustworthy to talk LDAP to your AD servers than ASA is in talking LDAP to AD. ASA is a hardened appliance and designed for security purposes. ISE is the same. But ISE is just a middle man in this case and adds no value ... only adds another point of failure and licensing cost. So that's my argument against using any RADIUS server in this scenario.

balaji.bandi
VIP Community Legend VIP Community Legend
VIP Community Legend

You can directly integrate ASA with LDAP authentication - Until you have any reason to involve ISE here.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers